summaryrefslogtreecommitdiffstats
path: root/source4/kdc/hdb-ldb.c
diff options
context:
space:
mode:
Diffstat (limited to 'source4/kdc/hdb-ldb.c')
-rw-r--r--source4/kdc/hdb-ldb.c70
1 files changed, 40 insertions, 30 deletions
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
index b751ff33c0..ee5bed2682 100644
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -39,6 +39,8 @@
#include "lib/ldb/include/ldb.h"
#include "system/iconv.h"
+enum hdb_ldb_ent_type
+{ HDB_LDB_ENT_TYPE_CLIENT, HDB_LDB_ENT_TYPE_SERVER, HDB_LDB_ENT_TYPE_KRBTGT, HDB_LDB_ENT_TYPE_ANY };
static const char * const krb5_attrs[] = {
"objectClass",
@@ -95,7 +97,7 @@ static KerberosTime ldb_msg_find_krb5time_ldap_time(struct ldb_message *msg, con
return timegm(&tm);
}
-static HDBFlags uf2HDBFlags(krb5_context context, int userAccountControl, enum hdb_ent_type ent_type)
+static HDBFlags uf2HDBFlags(krb5_context context, int userAccountControl, enum hdb_ldb_ent_type ent_type)
{
HDBFlags flags = int2HDBFlags(0);
@@ -109,32 +111,32 @@ static HDBFlags uf2HDBFlags(krb5_context context, int userAccountControl, enum h
/* Account types - clear the invalid bit if it turns out to be valid */
if (userAccountControl & UF_NORMAL_ACCOUNT) {
- if (ent_type == HDB_ENT_TYPE_CLIENT || ent_type == HDB_ENT_TYPE_ENUM) {
+ if (ent_type == HDB_LDB_ENT_TYPE_CLIENT || ent_type == HDB_LDB_ENT_TYPE_ANY) {
flags.client = 1;
}
flags.invalid = 0;
}
if (userAccountControl & UF_INTERDOMAIN_TRUST_ACCOUNT) {
- if (ent_type == HDB_ENT_TYPE_CLIENT || ent_type == HDB_ENT_TYPE_ENUM) {
+ if (ent_type == HDB_LDB_ENT_TYPE_CLIENT || ent_type == HDB_LDB_ENT_TYPE_ANY) {
flags.client = 1;
}
flags.invalid = 0;
}
if (userAccountControl & UF_WORKSTATION_TRUST_ACCOUNT) {
- if (ent_type == HDB_ENT_TYPE_CLIENT || ent_type == HDB_ENT_TYPE_ENUM) {
+ if (ent_type == HDB_LDB_ENT_TYPE_CLIENT || ent_type == HDB_LDB_ENT_TYPE_ANY) {
flags.client = 1;
}
- if (ent_type == HDB_ENT_TYPE_SERVER || ent_type == HDB_ENT_TYPE_ENUM) {
+ if (ent_type == HDB_LDB_ENT_TYPE_SERVER || ent_type == HDB_LDB_ENT_TYPE_ANY) {
flags.server = 1;
}
flags.invalid = 0;
}
if (userAccountControl & UF_SERVER_TRUST_ACCOUNT) {
- if (ent_type == HDB_ENT_TYPE_CLIENT || ent_type == HDB_ENT_TYPE_ENUM) {
+ if (ent_type == HDB_LDB_ENT_TYPE_CLIENT || ent_type == HDB_LDB_ENT_TYPE_ANY) {
flags.client = 1;
}
- if (ent_type == HDB_ENT_TYPE_SERVER || ent_type == HDB_ENT_TYPE_ENUM) {
+ if (ent_type == HDB_LDB_ENT_TYPE_SERVER || ent_type == HDB_LDB_ENT_TYPE_ANY) {
flags.server = 1;
}
flags.invalid = 0;
@@ -208,7 +210,7 @@ static HDBFlags uf2HDBFlags(krb5_context context, int userAccountControl, enum h
*/
static krb5_error_code LDB_message2entry(krb5_context context, HDB *db,
TALLOC_CTX *mem_ctx, krb5_const_principal principal,
- enum hdb_ent_type ent_type, struct ldb_message *realm_msg,
+ enum hdb_ldb_ent_type ent_type, struct ldb_message *realm_msg,
struct ldb_message *msg,
hdb_entry *ent)
{
@@ -217,18 +219,13 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db,
int i;
krb5_error_code ret = 0;
const char *dnsdomain = ldb_msg_find_string(realm_msg, "dnsDomain", NULL);
- char *realm = talloc_strdup(mem_ctx, dnsdomain);
+ char *realm = strupper_talloc(mem_ctx, dnsdomain);
if (!realm) {
krb5_set_error_string(context, "talloc_strdup: out of memory");
ret = ENOMEM;
goto out;
}
-
- /* TODO: Use Samba charset functions */
- for (i=0; i< strlen(realm); i++) {
- realm[i] = toupper(realm[i]);
- }
krb5_warnx(context, "LDB_message2entry:\n");
@@ -237,7 +234,7 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db,
userAccountControl = ldb_msg_find_int(msg, "userAccountControl", 0);
ent->principal = malloc(sizeof(*(ent->principal)));
- if (ent_type == HDB_ENT_TYPE_ENUM && principal == NULL) {
+ if (ent_type == HDB_LDB_ENT_TYPE_ANY && principal == NULL) {
const char *samAccountName = ldb_msg_find_string(msg, "samAccountName", NULL);
if (!samAccountName) {
krb5_set_error_string(context, "LDB_message2entry: no samAccountName present");
@@ -277,7 +274,7 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db,
ent->flags = uf2HDBFlags(context, userAccountControl, ent_type);
- if (ent_type == HDB_ENT_TYPE_KRBTGT) {
+ if (ent_type == HDB_LDB_ENT_TYPE_KRBTGT) {
ent->flags.invalid = 0;
ent->flags.server = 1;
}
@@ -444,7 +441,7 @@ out:
static krb5_error_code LDB_lookup_principal(krb5_context context, struct ldb_context *ldb_ctx,
TALLOC_CTX *mem_ctx,
krb5_const_principal principal,
- enum hdb_ent_type ent_type,
+ enum hdb_ldb_ent_type ent_type,
const char *realm_dn,
struct ldb_message ***pmsg)
{
@@ -483,19 +480,19 @@ static krb5_error_code LDB_lookup_principal(krb5_context context, struct ldb_con
switch (ent_type) {
- case HDB_ENT_TYPE_KRBTGT:
+ case HDB_LDB_ENT_TYPE_KRBTGT:
filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(samAccountName=%s))",
KRB5_TGS_NAME);
break;
- case HDB_ENT_TYPE_CLIENT:
+ case HDB_LDB_ENT_TYPE_CLIENT:
filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(|(samAccountName=%s)(userPrincipalName=%s)))",
short_princ, princ_str_talloc);
break;
- case HDB_ENT_TYPE_SERVER:
+ case HDB_LDB_ENT_TYPE_SERVER:
filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(|(samAccountName=%s)(servicePrincipalName=%s)))",
short_princ, short_princ);
break;
- case HDB_ENT_TYPE_ENUM:
+ case HDB_LDB_ENT_TYPE_ANY:
filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(|(|(samAccountName=%s)(servicePrincipalName=%s))(userPrincipalName=%s)))",
short_princ, short_princ, princ_str_talloc);
break;
@@ -710,6 +707,7 @@ static krb5_error_code LDB_fetch(krb5_context context, HDB *db, unsigned flags,
{
struct ldb_message **msg = NULL;
struct ldb_message **realm_msg = NULL;
+ enum hdb_ldb_ent_type ldb_ent_type;
krb5_error_code ret;
const char *realm;
@@ -736,17 +734,29 @@ static krb5_error_code LDB_fetch(krb5_context context, HDB *db, unsigned flags,
/* Cludge, cludge cludge. If the realm part of krbtgt/realm,
* is in our db, then direct the caller at our primary
* krgtgt */
- if (ent_type == HDB_ENT_TYPE_SERVER
- && principal->name.name_string.len == 2
- && (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) == 0)
- && (LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
- mem_ctx, principal->name.name_string.val[1], NULL) == 0)) {
- ent_type = HDB_ENT_TYPE_KRBTGT;
+
+ switch (ent_type) {
+ case HDB_ENT_TYPE_SERVER:
+ if (principal->name.name_string.len == 2
+ && (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) == 0)
+ && (LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
+ mem_ctx, principal->name.name_string.val[1], NULL) == 0)) {
+ ldb_ent_type = HDB_LDB_ENT_TYPE_KRBTGT;
+ } else {
+ ldb_ent_type = HDB_LDB_ENT_TYPE_SERVER;
+ }
+ break;
+ case HDB_ENT_TYPE_CLIENT:
+ ldb_ent_type = HDB_LDB_ENT_TYPE_CLIENT;
+ break;
+ case HDB_ENT_TYPE_ANY:
+ ldb_ent_type = HDB_LDB_ENT_TYPE_ANY;
+ break;
}
ret = LDB_lookup_principal(context, (struct ldb_context *)db->hdb_db,
mem_ctx,
- principal, ent_type, realm_dn, &msg);
+ principal, ldb_ent_type, realm_dn, &msg);
if (ret != 0) {
char *alias_from = principal->name.name_string.val[0];
@@ -754,7 +764,7 @@ static krb5_error_code LDB_fetch(krb5_context context, HDB *db, unsigned flags,
Principal alias_principal;
/* Try again with a servicePrincipal alias */
- if (ent_type != HDB_ENT_TYPE_SERVER && ent_type != HDB_ENT_TYPE_ENUM) {
+ if (ent_type != HDB_LDB_ENT_TYPE_SERVER && ent_type != HDB_LDB_ENT_TYPE_ANY) {
talloc_free(mem_ctx);
return ret;
}
@@ -857,7 +867,7 @@ static krb5_error_code LDB_seq(krb5_context context, HDB *db, unsigned flags, hd
if (priv->index < priv->count) {
ret = LDB_message2entry(context, db, mem_ctx,
- NULL, HDB_ENT_TYPE_ENUM,
+ NULL, HDB_LDB_ENT_TYPE_ANY,
priv->realm_msgs[0], priv->msgs[priv->index++], entry);
} else {
ret = HDB_ERR_NOENTRY;